Skip Navigation

Research Funding

Skip Content Marketing
  • Share this:
  • submit to facebook
  • Tweet it
  • submit to reddit
  • submit to StumbleUpon
  • submit to Google +

Data Security

Lock icon: This link will not work for public visitors.Some links will work for NIAID staff only.

This standard operating procedure (SOP) includes the following sections: Purpose, Procedure, Contacts, and Links.

Purpose

To ensure the protection of personally identifiable, sensitive, or confidential information resulting from NIH-supported research or belonging to the federal government.

Procedure

Grantees, contractors, and NIH staff must protect information systems containing identifiable, sensitive, or confidential data, whether electronic or hard copy.

This requirement pertains to data belonging to the federal government or resulting from NIH-supported research. All awardees and NIH staff must protect these data to prevent release or loss.

Some NIH-supported research is also covered by the Federal Information Security Management Act (FISMA; page 48). FISMA applies to contractors and grantees when the government owns the data.

Investigators, Grantees, Contractors, and Institutions

  • Do not put personally identifiable, sensitive, or confidential information about NIH-supported research or participants on portable electronic devices such as laptops, CDs, or flash drives. If you must use such devices, encrypt your data.
  • Limit access to personally identifiable information through password protection and other means.
  • Transmit research data only when you know the recipient's systems are secure.
  • See if the Federal Information Security Management Act (FISMA) applies to you.
    • FISMA does not apply to most grantees except cooperative agreements where data is transferred directly to the government.
    • FISMA applies when you collect, store, process, transmit, or use information on behalf of any government organization. FISMA applies only when the government owns the data.
    • For questions about whether your data falls under FISMA, contact your Information Systems Security Officer.
  • Understand that even if FISMA does not apply, you are responsible for protecting sensitive and confidential data and preventing disclosure, release, or loss of sensitive personal information.
  • If you provide collected sensitive information to NIAID as a condition of your award, NIAID is responsible for protecting the transfer.
  • In the event of a data security breach, do the following.
    • Follow your institute's policy.
    • Also inform your NIAID program officer and grants management or contracting officer.
    • Your institute will pay expenses to address the breach out of indirect costs.

Peer Reviewers

Scientific Review Officers

  • Password protect review materials.
  • Emphasize to peer reviewers to immediately report the loss of application information.
  • If you learn of any loss of data, immediately contact NIAID's Information Systems Security Officer. Provide the following details:
    • Study section designation, name, and meeting dates.
    • Your contact information. OER will work primarily with you to resolve the situation.
    • Format of material.
    • Circumstances by which the data was lost.

NIAID Staff

  • Be aware that you are responsible for protecting sensitive and confidential data and preventing disclosure, release, or loss of sensitive personal information.
  • Follow these mandatory guidelines for protecting your equipment:
    • Encrypt laptop computers with an approved encryption software package.
    • Encrypt portable media such as flash drives if they contain sensitive data, including personally identifiable information. For acceptable USB drives, see Lock icon: This link will not work for public visitors.FIPS Certified USB Drives.
    • Configure BlackBerry wireless handheld devices with an access password and other security features provided by the NIH BlackBerry Enterprise Server.
  • Do not store sensitive information on a Macintosh laptop due to the lack of National Institute of Standards and Technology-approved encryption software. You can use Mac laptops for sensitive data analysis if you use an encrypted removable device.
  • If you attend a study section meeting, do not take any notes that would identify reviewers, and do not discuss individual reviewer comments with investigators.
  • In the event of a data security breach, take the following steps:
    • Tell your supervisor and email NIAID's Information Systems Security Officer. Include details on when the breach occurred, scope of data loss, and possible impact if known.
    • If you lose an NIH-issued laptop or Blackberry, or you suspect loss of personally identifiable information, also inform the NIH Helpdesk within one hour.

Contacts

NIH IT Service Desk, 301-496-4357

NIAID's Information Systems Security Officer

If you have knowledge to share or want more information on this topic, email deaweb@niaid.nih.gov with this link and your message. Thanks for helping us clarify and expand our knowledge base.

Links

A Statement from the NIH Director, Elias A. Zerhouni, M.D., on Encryption and Data Security

Lock icon: This link will not work for public visitors.Encryption, Data Security, and NIH Peer Review (memo to staff)

Lock icon: This link will not work for public visitors.Guide for Identifying Sensitive Information

NIH and HHS Encryption Policies, Guidance, and Tools

NIH Renews Focus on Protecting Sensitive Data and Information Used in Research

Lock icon: This link will not work for public visitors.Responding to Loss of Sensitive Data and Other Information in NIH Grant Applications

Secure One HHS - Protecting America's Health and Human Services

Lock icon: This link will not work for public visitors.Secure One HHS Memorandum

Last Updated August 14, 2014

Last Reviewed August 14, 2014